fix CVE-2022-26354 and CVE-2022-26353

vhost-vsock: detach the virqueue element in case of error (CVE-2022-26354) virtio-net: fix map leaking on error during receive (CVE-2022-26353) Signed-off-by: yezengruan <yezengruan@huawei.com>
2022-04-15 16:51:47 +08:00 · 2022-04-15 16:51:47 +08:00 · 188d1bd76f
commit 188d1bd76f
parent 389df97ed4
3 changed files with 102 additions and 1 deletions
--- a/qemu.spec
+++ b/qemu.spec
@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 65
+Release: 66
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -348,6 +348,8 @@ Patch0335: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
 Patch0336: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch
 Patch0337: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch
 Patch0338: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch
+Patch0339: vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
+Patch0340: virtio-net-fix-map-leaking-on-error-during-receive.patch

 BuildRequires: flex
 BuildRequires: bison
@ -744,6 +746,10 @@ getent passwd qemu >/dev/null || \
 %endif

 %changelog
+* Fri Apr 15 2022 yezengruan <yezengruan@huawei.com>
+- vhost-vsock: detach the virqueue element in case of error (CVE-2022-26354)
+- virtio-net: fix map leaking on error during receive (CVE-2022-26353)
+
 * Wed Apr 06 2022 yezengruan <yezengruan@huawei.com>
 - hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)
 - pvrdma: Ensure correct input on ring init (CVE-2021-3607)
--- a/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
+++ b/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
@ -0,0 +1,56 @@
+From 1f20e48288a39d9ea92e743707fd08de77bfe584 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Mon, 28 Feb 2022 10:50:58 +0100
+Subject: [PATCH 1/2] vhost-vsock: detach the virqueue element in case of error
+
+In vhost_vsock_send_transport_reset(), if an element popped from
+the virtqueue is invalid, we should call virtqueue_detach_element() to
+detach it from the virtqueue before freeing its memory.
+
+Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
+Fixes: CVE-2022-26354
+Cc: qemu-stable@nongnu.org
+Reported-by: VictorV <vv474172261@gmail.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+---
+ hw/virtio/vhost-vsock.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/hw/virtio/vhost-vsock.c b/hw/virtio/vhost-vsock.c
+index 0371493197..bcd8fa4967 100644
+--- a/hw/virtio/vhost-vsock.c
+++ b/hw/virtio/vhost-vsock.c
+@@ -220,19 +220,23 @@ static void vhost_vsock_send_transport_reset(VHostVSock *vsock)
+     if (elem->out_num) {
+         error_report("invalid vhost-vsock event virtqueue element with "
+                      "out buffers");
+-        goto out;
+        goto err;
+     }
+ 
+     if (iov_from_buf(elem->in_sg, elem->in_num, 0,
+                      &event, sizeof(event)) != sizeof(event)) {
+         error_report("vhost-vsock event virtqueue element is too short");
+-        goto out;
+        goto err;
+     }
+ 
+     virtqueue_push(vq, elem, sizeof(event));
+     virtio_notify(VIRTIO_DEVICE(vsock), vq);
+ 
+-out:
+    g_free(elem);
+    return;
+
+err:
+    virtqueue_detach_element(vq, elem, 0);
+     g_free(elem);
+ }
+ 
+-- 
+2.27.0
+
--- a/virtio-net-fix-map-leaking-on-error-during-receive.patch
+++ b/virtio-net-fix-map-leaking-on-error-during-receive.patch
@ -0,0 +1,39 @@
+From 72f59cd8d3c2a7a1f4a64cdfafd6c333d5bf4ad3 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 8 Mar 2022 10:42:51 +0800
+Subject: [PATCH 2/2] virtio-net: fix map leaking on error during receive
+
+Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
+tries to fix the use after free of the sg by caching the virtqueue
+elements in an array and unmap them at once after receiving the
+packets, But it forgot to unmap the cached elements on error which
+will lead to leaking of mapping and other unexpected results.
+
+Fixing this by detaching the cached elements on error. This addresses
+CVE-2022-26353.
+
+Reported-by: Victor Tom <vv474172261@gmail.com>
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2022-26353
+Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/virtio-net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 22d430c7c1..28e9cd52ff 100644
+--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
+@@ -1382,6 +1382,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ 
+ err:
+     for (j = 0; j < i; j++) {
+        virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
+         g_free(elems[j]);
+     }
+ 
+-- 
+2.27.0
+